https://community.cloudera.com/t5/Support-Questions/acessing-the-STORM-UI-with-HDP-2-3-Kerberized-cluster/m-p/94721#M58111 <OL> <LI>Make sure ui kerberos auth to local rules are configured properly. Once principle from AD is used for negotiation with MIT KDC, there need to be a rule that translate it to local account in Storm UI node. Many times those can be copied from core-site.xml. For example:</LI></OL><P>ui.filter.params:"type": "kerberos""kerberos.principal": "HTTP/nimbus.witzend.com""kerberos.keytab": "/vagrant/keytabs/http.keytab""kerberos.name.rules": "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/DEFAULT"</P><P>Note that rules are listed as string without commas.</P><P>2. You will need to create mapping for MIT Domain KDC and correlated resource used for the Domain, in this case Storm UI. You will need to execute following commands on Windows workstation from the command line:</P><P>ksetup /AddKDC $DOMAIN $KDC </P><P>ksetup /AddHostToRealmMap $hadoop_resource $Domain</P><P>Note that this adds registry entries in:</P><P>HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm</P><P>If you need to troubleshoot the issues you can try accessing Storm UI within the cluster using curl command. For example:</P><P>curl -i --negotiate -u:anyUser -b ~/cookiejar.txt -c ~/cookiejar.txt <A href="http://storm-ui-hostname:8080/api/v1/cluster/summary">http://storm-ui-hostname:8080/api/v1/cluster/summary</A></P><P>This will be helpful to see if kerberos UI configs are working.</P><P>In order to isolate the issue you can use storm service keytabs as well as user principles. </P><P>Another important thing to check is to make sure that trust is working properly and encryption types match on both KDCs.</P> Fri, 02 Oct 2015 06:52:50 GMT schintalapani 2015-10-02T06:52:50Z https://community.cloudera.com/t5/Support-Questions/acessing-the-STORM-UI-with-HDP-2-3-Kerberized-cluster/m-p/94720#M58110 <P>All users are defined locally without any AD integration. The cluster is Kerberized on HDP 2.3 and Ambari 2.1.0. The knit fails as follow:</P><P> <STRONG>kinit: krb5_init_creds_set_keytab: Failed to find kafka/<A href="mailto:hdpblv10.t-mobile.lab@T-MOBILE.LAB">hdpblv10.t-mobile.lab@T-MOBILE.LAB</A> in keytab FILE:/etc/security/keytabs/kafka.service.keytab (unknown enctype) .</STRONG></P><P>The Storm UI uses SPNEGO AUTH when in Kerberos mode. Before accessing the UI, you have to we configured our browser for SPNEGO authorization before accessing the UI as follow:</P><P><STRONG>Safari: </STRONG> no changes needed. <STRONG>Firefox: </STRONG> 1) Go to about:config and search for network.negotiate-auth.trusted-uris. 2) Double-click and add the following value: "<A href="http://storm-ui-hostname:ui-port/">http://storm-ui-hostname:ui-port</A>" 3) Replace the storm-ui-hostname with the hostname where your UI is running. 4) Replace the ui-port with the Storm UI port. <STRONG>Google-chrome: </STRONG> from the command line, issue: google-chrome --auth-server-whitelist="storm-ui-hostname" --auth-negotiate-delegate-whitelist="storm-ui-hostname" <STRONG>Internet Explorer: </STRONG> 1) Configure trusted websites to include "storm-ui-hostname". 2) Allow negotiation for the UI website. </P> Fri, 02 Oct 2015 06:48:55 GMT https://community.cloudera.com/t5/Support-Questions/acessing-the-STORM-UI-with-HDP-2-3-Kerberized-cluster/m-p/94720#M58110 ddubeau1 2015-10-02T06:48:55Z https://community.cloudera.com/t5/Support-Questions/acessing-the-STORM-UI-with-HDP-2-3-Kerberized-cluster/m-p/94721#M58111 <OL> <LI>Make sure ui kerberos auth to local rules are configured properly. Once principle from AD is used for negotiation with MIT KDC, there need to be a rule that translate it to local account in Storm UI node. Many times those can be copied from core-site.xml. For example:</LI></OL><P>ui.filter.params:"type": "kerberos""kerberos.principal": "HTTP/nimbus.witzend.com""kerberos.keytab": "/vagrant/keytabs/http.keytab""kerberos.name.rules": "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/DEFAULT"</P><P>Note that rules are listed as string without commas.</P><P>2. You will need to create mapping for MIT Domain KDC and correlated resource used for the Domain, in this case Storm UI. You will need to execute following commands on Windows workstation from the command line:</P><P>ksetup /AddKDC $DOMAIN $KDC </P><P>ksetup /AddHostToRealmMap $hadoop_resource $Domain</P><P>Note that this adds registry entries in:</P><P>HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm</P><P>If you need to troubleshoot the issues you can try accessing Storm UI within the cluster using curl command. For example:</P><P>curl -i --negotiate -u:anyUser -b ~/cookiejar.txt -c ~/cookiejar.txt <A href="http://storm-ui-hostname:8080/api/v1/cluster/summary">http://storm-ui-hostname:8080/api/v1/cluster/summary</A></P><P>This will be helpful to see if kerberos UI configs are working.</P><P>In order to isolate the issue you can use storm service keytabs as well as user principles. </P><P>Another important thing to check is to make sure that trust is working properly and encryption types match on both KDCs.</P> Fri, 02 Oct 2015 06:52:50 GMT https://community.cloudera.com/t5/Support-Questions/acessing-the-STORM-UI-with-HDP-2-3-Kerberized-cluster/m-p/94721#M58111 schintalapani 2015-10-02T06:52:50Z https://community.cloudera.com/t5/Support-Questions/acessing-the-STORM-UI-with-HDP-2-3-Kerberized-cluster/m-p/94722#M58112 <P>Regarding the kinit error. Did you execute this manually on the client host or was the error message retrieved from a log file a node in the cluster?</P><P>If you received this message while kinit-ing manually on your client host, why are you attempting to authenticate using a service principal, rather than your user principal? </P><P>Can you list the contents of the keytab file? </P><PRE>klist -kte /etc/security/keytabs/kafka.service.keytab</PRE><P>Does it contain entries different than the hdfs keytab file?</P><PRE>klist -kte /etc/security/keytabs/hdfs.headless.keytab</PRE><P>Both listings should have the same number of keytab entries with the same encryption types. For example:</P><PRE>Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab KVNO Timestamp Principal ---- ----------------- ---------------------------------------------- 1 10/02/15 10:19:29 hdfs-c1@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 1 10/02/15 10:19:29 hdfs-c1@EXAMPLE.COM (arcfour-hmac) 1 10/02/15 10:19:29 hdfs-c1@EXAMPLE.COM (des3-cbc-sha1) 1 10/02/15 10:19:29 hdfs-c1@EXAMPLE.COM (des-cbc-md5) 1 10/02/15 10:19:29 hdfs-c1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)</PRE> Fri, 02 Oct 2015 17:24:20 GMT https://community.cloudera.com/t5/Support-Questions/acessing-the-STORM-UI-with-HDP-2-3-Kerberized-cluster/m-p/94722#M58112 rlevas 2015-10-02T17:24:20Z https://community.cloudera.com/t5/Support-Questions/acessing-the-STORM-UI-with-HDP-2-3-Kerberized-cluster/m-p/94723#M58113 <P>These were the steps I used to get the Storm UI working on my Mac on kerborized HDP 2.3 (search for 'Open kerborized browser'):</P><P><A href="https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-storm-plugin-for-ranger">https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-storm-plugin-for-ranger</A></P> Fri, 02 Oct 2015 18:56:56 GMT https://community.cloudera.com/t5/Support-Questions/acessing-the-STORM-UI-with-HDP-2-3-Kerberized-cluster/m-p/94723#M58113 abajwa 2015-10-02T18:56:56Z